Common elements in audit messages

Module ID: A four‐character identifier of the module ID that generated the message. This indicates the code segment within which the audit message was generated.

ANID

UI32

Node ID: The grid node ID assigned to the service that generated the message. Each service is allocated a unique identifier at the time the StorageGRID Webscale system is configured and installed. This ID cannot be changed.

ASES

UI64

Audit Session Identifier: Indicates the time at which the audit system was initialized after the service started up. This time value is measured in microseconds since the operating system epoch (00:00:00 UTC on 1 January, 1970). It can be used to identify which messages were generated during a given runtime session.

ASQN

UI64

Sequence Count: A counter that is incremented for each generated audit message on the grid node (ANID). This counter is reset to zero at service restart. It can be used for consistency checks to ensure that no audit messages have been lost.

ATID

UI64

Trace ID: An identifier that is shared by the set of messages that were triggered by a single event.

ATIM

UI64

Timestamp: The time the event was generated that triggered the audit message, measured in microseconds since the operating system epoch (00:00:00 UTC on 1 January, 1970). Note that most available tools for converting the timestamp to local date and time are based on milliseconds.

Rounding or truncation of the logged timestamp might be required. The human‐readable time that appears at the beginning of the audit message in the audit.log file is the ATIM attribute in ISO 8601 format. The date and time are represented as YYYY-MMDDTHH:MM:SS.UUUUUU, where the T is a literal string character indicating the beginning of the time segment of the date. UUUUUU are microseconds.

ATYP

FC32

Event Type: A four‐character identifier of the event being logged. This governs the "payload" content of the message: the attributes that are included.

AVER

UI32

Version: The version of the audit message. As the StorageGRID Webscale software evolves, new versions of services might incorporate new features in audit reporting. This field enables backward compatibility in the AMS service to process messages from older versions of services.

RSLT

FC32

Result: The result of event, process, or transaction. If is not relevant for a message, NONE is used rather than SUCS so that the message is not accidently filtered.